https://wiki.idesg.org/index.php?action=history&feed=atom&title=Privacy_Req_2_Supplemental_GuidancePrivacy Req 2 Supplemental Guidance - Revision history2026-04-16T11:30:28ZRevision history for this page on the wikiMediaWiki 1.38.4https://wiki.idesg.org/index.php?title=Privacy_Req_2_Supplemental_Guidance&diff=5811&oldid=prevOmaerz: 2 revisions imported: Initial Upload of old pages from IDESG Wiki2018-06-28T04:03:00Z<p>2 revisions imported: Initial Upload of old pages from IDESG Wiki</p>
<p><b>New page</b></p><div><br />
{{Under Construction}}<br />
<br />
''<< Back to [[Privacy_Req_2|Privacy Requirement 2]]''<br />
<br />
These links are provided as additional informative resources relevant to parties conducting self-assessments (and other identity stakeholders) when applying and evaluating IDEF Baseline Requirement PRIVACY-2.<br />
<br />
=== Supplemental Information ===<br />
<br />
Contracts, assurances or persistent records of consent or legal authority MUST be established by entities collecting, using, transmitting or storing personal information, so that the information, when passed between entities, is still used in the same manner as originally specified and permitted. Entities also must assure that their data controls reliably apply these limitations to their future actions.<br />
<br />
Please note the applicability of requirement [[Interop_Req_7|INTEROP-7]] regarding limitations imposed by laws. Please note the applicability of requirements [[Interop_Req_6|INTEROP-6]] and [[Interop_Req_8|INTEROP-8]] regarding limitations arising from the involvement of THIRD-PARTIES such as intermediaries, similar service providers, or FEDERATIONS.<br />
<br />
=== References and Guidance (non-normative) ===<br />
<br />
* See ISO/IEC 29100 (2011) Privacy Framework, Section 5.3 ("Use, Retention and Disclosure Limitation") and Section 5.6 ("Purpose Legitimacy and Specification"). <br />
* See the "minimum necessary" disclosure standard in HIPAA regulations for health care transactions, 45 CFR Part 164, at ยงยง 164.502(b) and 164.514(d): http://www.ecfr.gov/cgi-bin/text-idx?node=pt45.1.164&rgn=div5 <br />
* See also the Fair Information Privacy Principles: "Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected." http://www.nist.gov/nstic/NSTIC-FIPPs.pdf<br />
* See OASIS Privacy Management Reference Model (PMRM) v1.0: Section 4.2 ("Service Details"). <br />
* See Privacy & Biometrics: Building a Conceptual Foundation: Data [p46],Audit [p47], and Storage [p47].</div>Omaerz